Administration Console Online Help

Servers: Configuration: Keystores

Keystores ensure the secure storage and management of private
keys and trusted certificate authorities (CAs). This page lets you view
and define various keystore configurations. These settings help you to
manage the security of message transmissions.

WebLogic Server is configured with a default identity keystore
(DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In
addition, WebLogic Server trusts the CA certificates in the JDK cacerts
file. This default keystore configuration is appropriate for testing and
development purposes. However, these keystores should not be used in a
production environment.

After you configure identity and trust keystores for a WebLogic Server
instance, you can configure its SSL attributes. These attributes include
information about the identity and trust location for particular server
instances. Use the Configuration: SSL page to specify this
information.

For purposes of backward compatibility, WebLogic Server lets you store
private keys and trusted certificate authorities in files or in the
WebLogic Keystore provider. If you use either of these mechanisms for
identity and trust, choose the Files or Keystore Providers (Deprecated)
option on the Configuration: SSL page.

Note: When using the WebLogic Keystore provider, digital
certificates are stored in files.

The custom identity keystore file name. The path name must either be
absolute or relative to the directory from which the server was booted.
The custom identity keystore file name is only used if KeyStores is
CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST,
CUSTOM_IDENTITY_AND_CUSTOM_TRUST or
CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

The custom identity keystore type. If empty or null, then the JDK's
default keystore type (specified in java.security) is used. The custom
identity keystore type is only used if KeyStores is
CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST,
CUSTOM_IDENTITY_AND_CUSTOM_TRUST or
CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

The encrypted custom identity keystore's passphrase. If empty or
null, then the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is
CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST,
CUSTOM_IDENTITY_AND_CUSTOM_TRUST or
CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

When you get the value of this attribute, WebLogic Server does
the following:

Retrieves the value of the
CustomIdentityKeyStorePassPhraseEncrypted
attribute.

Decrypts the value and returns the unencrypted password as a
String.

When you set the value of this attribute, WebLogic Server does
the following:

Encrypts the value.

Sets the value of the
CustomIdentityKeyStorePassPhraseEncrypted attribute to
the encrypted value.

Using this attribute
(CustomIdentityKeyStorePassPhrase) is a potential
security risk because the String object (which contains the
unencrypted password) remains in the JVM's memory until garbage
collection removes it and the memory is reallocated. Depending on
how memory is allocated in the JVM, a significant amount of time
could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use
CustomIdentityKeyStorePassPhraseEncrypted.

The custom trust keystore's passphrase. If empty or null, then
the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is
CUSTOM_IDENTITY_AND_CUSTOM_TRUST.

When you get the value of this attribute, WebLogic Server does
the following:

Retrieves the value of the
CustomTrustKeyStorePassPhraseEncrypted attribute.

Decrypts the value and returns the unencrypted password as a
String.

When you set the value of this attribute, WebLogic Server does
the following:

Encrypts the value.

Sets the value of the
CustomTrustKeyStorePassPhraseEncrypted attribute to
the encrypted value.

Using this attribute
(CustomTrustKeyStorePassPhrase) is a potential
security risk because the String object (which contains the
unencrypted password) remains in the JVM's memory until garbage
collection removes it and the memory is reallocated. Depending on
how memory is allocated in the JVM, a significant amount of time
could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use
CustomTrustKeyStorePassPhraseEncrypted.

The password for the Java Standard Trust keystore. This password
is defined when the keystore is created.

If empty or null, then the keystore will be opened without a
passphrase.

This attribute is only used if KeyStores is
CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST or
DEMO_IDENTITY_AND_DEMO_TRUST.

When you get the value of this attribute, WebLogic Server does
the following:

Retrieves the value of the
JavaStandardTrustKeyStorePassPhraseEncrypted
attribute.

Decrypts the value and returns the unencrypted password as a
String.

When you set the value of this attribute, WebLogic Server does
the following:

Encrypts the value.

Sets the value of the
JavaStandardTrustKeyStorePassPhraseEncrypted attribute
to the encrypted value.

Using this attribute
(JavaStandardTrustKeyStorePassPhrase) is a potential
security risk because the String object (which contains the
unencrypted password) remains in the JVM's memory until garbage
collection removes it and the memory is reallocated. Depending on
how memory is allocated in the JVM, a significant amount of time
could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use
JavaStandardTrustKeyStorePassPhraseEncrypted.
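The "only used if KeyStores is ..." rules spread across this page decide which of the attributes above actually take effect for a given server. As an added illustration, not part of this help page and not WebLogic's own code, the following Python script applies those rules together with the boot-directory path rule, the java.security fallback for the keystore type, and the "opened without a passphrase" behaviour, and then flags the settings the page warns about (demo keystores in use, keystores opened without a passphrase). The field names of KeystoreAttributes, the boot directory, the file names, the passphrases and the java.security excerpt are all constructed for the example and are not the server's real MBean property names or values.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# KeyStores modes in which each attribute group takes effect, following the
# "only used if KeyStores is ..." rules documented on this page.
CUSTOM_IDENTITY_MODES = frozenset({
    "CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST",
    "CUSTOM_IDENTITY_AND_CUSTOM_TRUST",
    "CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST",
})
CUSTOM_TRUST_MODES = frozenset({"CUSTOM_IDENTITY_AND_CUSTOM_TRUST"})
JAVA_STANDARD_TRUST_MODES = frozenset({
    "CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST",
    "DEMO_IDENTITY_AND_DEMO_TRUST",
})

# Constructed excerpt of a JDK java.security properties file (not copied from any JDK).
SAMPLE_JAVA_SECURITY = """\
# Default keystore type used when no explicit type is configured.
keystore.type=pkcs12
"""


def jdk_default_keystore_type(java_security_text: str) -> str:
    """Return the keystore.type property from java.security text.

    This is the value WebLogic falls back to when the custom keystore type
    attribute is empty or null.
    """
    for raw in java_security_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "keystore.type":
            return value.strip()
    # KeyStore.getDefaultType() returns "jks" when the property is absent.
    return "jks"


@dataclass
class KeystoreAttributes:
    """Attribute values as entered on the Keystores page (field names are this example's own)."""
    key_stores: str
    custom_identity_file: Optional[str] = None
    custom_identity_type: Optional[str] = None
    custom_identity_passphrase: Optional[str] = None
    custom_trust_passphrase: Optional[str] = None
    java_standard_trust_passphrase: Optional[str] = None


def resolve_effective_config(attrs: KeystoreAttributes, boot_dir: str,
                             java_security_text: str) -> Dict[str, Optional[str]]:
    """Apply the page's precedence rules and return only the settings the server would use."""
    effective: Dict[str, Optional[str]] = {"key_stores": attrs.key_stores}
    if attrs.key_stores in CUSTOM_IDENTITY_MODES:
        path = attrs.custom_identity_file or ""
        # A relative path name is resolved against the directory the server was booted from.
        effective["identity_file"] = (
            path if posixpath.isabs(path)
            else posixpath.normpath(posixpath.join(boot_dir, path)))
        # An empty type means the JDK default from java.security applies.
        effective["identity_type"] = (attrs.custom_identity_type
                                      or jdk_default_keystore_type(java_security_text))
        # An empty or null passphrase means the keystore is opened without one.
        effective["identity_passphrase"] = attrs.custom_identity_passphrase or None
    if attrs.key_stores in CUSTOM_TRUST_MODES:
        effective["trust_passphrase"] = attrs.custom_trust_passphrase or None
    if attrs.key_stores in JAVA_STANDARD_TRUST_MODES:
        effective["java_standard_trust_passphrase"] = attrs.java_standard_trust_passphrase or None
    return effective


def audit(attrs: KeystoreAttributes, boot_dir: str, java_security_text: str) -> List[str]:
    """Flag the settings this page warns about; an empty list means nothing to report."""
    effective = resolve_effective_config(attrs, boot_dir, java_security_text)
    findings: List[str] = []
    if attrs.key_stores == "DEMO_IDENTITY_AND_DEMO_TRUST":
        findings.append("demo identity/trust keystores are for development only")
    if "identity_passphrase" in effective and effective["identity_passphrase"] is None:
        findings.append("identity keystore will be opened without a passphrase")
    if "trust_passphrase" in effective and effective["trust_passphrase"] is None:
        findings.append("custom trust keystore will be opened without a passphrase")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the boot directory is hypothetical.
    boot = "/opt/wls/domains/base_domain"
    server = KeystoreAttributes(
        key_stores="CUSTOM_IDENTITY_AND_CUSTOM_TRUST",
        custom_identity_file="security/identity.p12",
        custom_identity_passphrase="identity-pass",
        custom_trust_passphrase="",
    )
    print(resolve_effective_config(server, boot, SAMPLE_JAVA_SECURITY))
    print(audit(server, boot, SAMPLE_JAVA_SECURITY))
```

Note that the script only reports which attributes take effect; it never stores or prints a decrypted passphrase beyond what the operator typed into it, which keeps it consistent with the page's preference for the encrypted attributes.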